# Enumeration

## Tools

SharpView: <https://github.com/tevora-threat/SharpView> (aggressor <https://github.com/tevora-threat/PowerView3-Aggressor>)

PowerView: <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1> (tips <https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993>) (dev: <https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1>)

ADModule: <https://github.com/samratashok/ADModule> (lets you use the ActiveDirectory module without installing RSAT: Import-Module the signed ActiveDirectory module DLL directly)

## Domain

#### Get Domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomain
Get-NetDomain -Domain domain.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADDomain
Get-ADDomain -Identity domain.local
```

{% endtab %}
{% endtabs %}

#### Get Domain SID

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainSID 
Get-DomainSID -Domain domain.local
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-ADDomain).DomainSID
(Get-ADDomain -Identity domain.local).DomainSID
```

{% endtab %}
{% endtabs %}

#### Get Domain Policy

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy -Domain moneycorp.local)."system access"
```

{% endtab %}
{% endtabs %}

#### Get DCs

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomainController 
Get-NetDomainController -Domain moneycorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADDomainController

Get-ADDomainController -DomainName moneycorp.local -Discover
```

{% endtab %}
{% endtabs %}

## Users

#### Get a list of users in the current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetUser 
Get-NetUser -Username student1
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter * -Properties * 
Get-ADUser -Identity student1 -Properties *
```

{% endtab %}
{% endtabs %}

#### Get a list of all properties for users within domain

{% tabs %}
{% tab title="PowerView" %}

```
# Lists all properties available
Get-UserProperty 

# Gets the value of a property for all users in domain
Get-UserProperty -Properties pwdlastset
```

{% endtab %}

{% tab title="ADModule" %}

```
# Lists all properties available (take one user object and inspect its members)
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name

# pwdlastset is stored as a FILETIME; convert it to a readable date for every user
Get-ADUser -Filter * -Properties * | select name,@{Name='pwdlastset';Expression={[datetime]::FromFileTime($_.pwdlastset)}}
```

{% endtab %}
{% endtabs %}
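As an added example that is not part of the original cheat sheet, the following ActiveDirectory-module function turns the pwdlastset conversion above into a password-hygiene audit: it converts the raw FILETIME, then flags enabled accounts whose password is older than a threshold, never expires, or is not required at all. The 90-day threshold, the `Get-StalePasswordReport` name and the `$SearchBase` default are assumptions; align the threshold with the domain policy, for example `(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge`.

```powershell
# Added example (not from the original page): password-age audit with the
# ActiveDirectory module. Function name and 90-day default are assumptions.
Import-Module ActiveDirectory

function Get-StalePasswordReport {
    param(
        [int]$MaxAgeDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    Get-ADUser -Filter {Enabled -eq $true} -SearchBase $SearchBase `
               -Properties pwdLastSet, PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
    ForEach-Object {
        $user = $_
        # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means the
        # password was never set or the user must change it at next logon
        $pwdSet = $null
        if ($user.pwdLastSet -gt 0) { $pwdSet = [datetime]::FromFileTime($user.pwdLastSet) }

        if     ($user.PasswordNotRequired)  { $finding = 'PASSWD_NOTREQD set (blank password allowed)' }
        elseif ($user.PasswordNeverExpires) { $finding = 'password never expires' }
        elseif ($null -eq $pwdSet)          { $finding = 'pwdLastSet is 0' }
        elseif ($pwdSet -lt $cutoff)        { $finding = "password older than $MaxAgeDays days" }
        else                                { $finding = 'ok' }

        $ageDays = $null
        if ($pwdSet) { $ageDays = [int]($now - $pwdSet).TotalDays }

        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            PasswordLastSet = $pwdSet
            PasswordAgeDays = $ageDays
            LastLogonDate   = $user.LastLogonDate
            Finding         = $finding
        }
    } |
    Where-Object { $_.Finding -ne 'ok' } |
    Sort-Object PasswordLastSet
}

Get-StalePasswordReport -MaxAgeDays 90 | Format-Table -AutoSize
```

The report is read-only; `PasswordNotRequired` and `PasswordNeverExpires` are the userAccountControl-derived flags the module exposes, so no bit masking is needed for those two checks.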

#### Search for a particular string in a user attribute

{% tabs %}
{% tab title="PowerView" %}

```
Find-UserField -SearchField Description -SearchTerm "built" 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
```

{% endtab %}
{% endtabs %}

## Groups

#### Get all groups in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup 
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroup -Filter * | select Name 
Get-ADGroup -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### Get all groups containing "admin" in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup *admin* 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name 
```

{% endtab %}
{% endtabs %}

#### Get members of domain admin group

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroupMember -GroupName "Domain Admins" -Recurse 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADGroupMember -Identity "Domain Admins" -Recursive 
```

{% endtab %}
{% endtabs %}

#### Get the group membership for a user

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGroup -UserName "student1"
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADPrincipalGroupMembership -Identity student1
```

{% endtab %}
{% endtabs %}

## Computers / Sessions

#### Get a list of computers in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetComputer 
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping 
Get-NetComputer -FullData
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADComputer -Filter * | select Name 
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### List all local groups on a machine (needs admin privs to query non-DC machines)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups
```

{% endtab %}
{% endtabs %}

#### List members of local groups on a machine (needs admin privs on non-DC machines)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse
```

{% endtab %}
{% endtabs %}

#### Get actively logged on users on target (needs admin rights on target)

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetLoggedon -ComputerName <servername>
```

{% endtab %}
{% endtabs %}

#### Get locally logged on users on target (needs Remote Registry enabled; it is started by default on servers)

{% tabs %}
{% tab title="PowerView" %}

```
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Get the last logged on user on target (needs admin rights and Remote Registry enabled)

{% tabs %}
{% tab title="PowerView" %}

```
Get-LastLoggedOn -ComputerName <servername>
```

{% endtab %}
{% endtabs %}

## Files

#### Find shares on hosts in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-ShareFinder -Verbose
```

{% endtab %}
{% endtabs %}

#### Find sensitive files on computers within domain

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-FileFinder -Verbose
```

{% endtab %}
{% endtabs %}

#### Get all file servers of domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetFileServer
```

{% endtab %}
{% endtabs %}

## GPO / OU

#### Get list of GPOs in current domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPO 
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local 
```

{% endtab %}

{% tab title="ADModule" %}

```
# GroupPolicy module
Get-GPO -All

# Resultant Set of Policy (RSoP) report for the current machine/user
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html
```

{% endtab %}
{% endtabs %}

#### Get GPOs which use Restricted Groups or groups.xml for interesting users

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPOGroup
```

{% endtab %}
{% endtabs %}

#### Get users which are in a local group of a machine via GPO

{% tabs %}
{% tab title="PowerView" %}

```
Find-GPOComputerAdmin -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Find machines where a given user is a member of a specific local group

{% tabs %}
{% tab title="PowerView" %}

```
Find-GPOLocation -UserName student1 -Verbose
```

{% endtab %}
{% endtabs %}

#### Get OUs in a Domain

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetOU -FullData 
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADOrganizationalUnit -Filter * -Properties *
```

{% endtab %}
{% endtabs %}

#### Get GPO applied on an OU

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
```

{% endtab %}

{% tab title="ADModule" %}

```
# GroupPolicy module
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081
```

{% endtab %}
{% endtabs %}

## ACLs

#### Get ACLs associated with a specific object

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access
```

{% endtab %}
{% endtabs %}

#### Get the ACLs associated with a specific prefix (used to scope the search)

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose 
```

{% endtab %}
{% endtabs %}

#### Get the ACLs associated with a specific LDAP path (used to scope the search)

{% tabs %}
{% tab title="PowerView" %}

```
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
```

{% endtab %}
{% endtabs %}

#### Search for interesting ACEs

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-ACLScanner -ResolveGUIDs
```

{% endtab %}
{% endtabs %}
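The following is an added example, not part of the original cheat sheet, showing with the ActiveDirectory module what `Get-ObjectAcl -ResolveGUIDs` and `Invoke-ACLScanner` above do under the hood: it reads an object's DACL from the `AD:` drive, resolves the `ObjectType` GUIDs of each ACE by looking them up in the schema (`schemaIDGUID`) and Extended-Rights (`rightsGuid`) containers, and then lists write-class ACEs held by principals outside an expected set. The function names, the `Domain Admins` DN and the `$expected` list are assumptions; tune the list to what is legitimate in your domain.

```powershell
# Added example (not from the original page): resolve ACE ObjectType GUIDs and
# review write-class ACEs on a privileged object. Names and DN are assumptions.
Import-Module ActiveDirectory

function Get-ADRightsGuidMap {
    # rightsGuid on controlAccessRight objects covers extended rights and property
    # sets; schemaIDGUID on schema objects covers attributes and classes.
    $root = Get-ADRootDSE
    $map  = @{ '00000000-0000-0000-0000-000000000000' = 'All' }

    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }

    Get-ADObject -SearchBase $root.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }

    return $map
}

function Get-ResolvedObjectAcl {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidMap = (Get-ADRightsGuidMap)
    )

    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        [pscustomobject]@{
            Identity   = $_.IdentityReference.Value
            Type       = $_.AccessControlType
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $GuidMap[$_.ObjectType.ToString()]   # $null if the GUID is unknown
            Inherited  = $_.IsInherited
        }
    }
}

# Write-class ACEs granted to anything outside the expected administrative
# principals are the ones to review (list is an assumption; tune per domain).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'

Get-ResolvedObjectAcl -DistinguishedName 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local' |
    Where-Object { $_.Type -eq 'Allow' -and
                   $_.Rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight' } |
    Where-Object { $ace = $_; -not ($expected | Where-Object { $ace.Identity -like "*$_" }) } |
    Format-Table -AutoSize
```

Building the GUID map once and passing it to repeated `Get-ResolvedObjectAcl` calls avoids re-reading the schema for every object; on a large forest the schema query is the slow part.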

#### Get the ACLs associated with the specified path

{% tabs %}
{% tab title="PowerView" %}

```
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
```

{% endtab %}
{% endtabs %}

## Trusts

#### Domain Trust Mapping

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetDomainTrust 
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADTrust -Filter *
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
```

{% endtab %}
{% endtabs %}

#### Forest Mapping

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForest 
Get-NetForest -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADForest 
Get-ADForest -Identity eurocorp.local
```

{% endtab %}
{% endtabs %}

#### Get all domains in current forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestDomain 
Get-NetForestDomain -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
(Get-ADForest).Domains 
```

{% endtab %}
{% endtabs %}

#### Get all global catalogs for the current forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestCatalog 
Get-NetForestCatalog -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADForest | select -ExpandProperty GlobalCatalogs
```

{% endtab %}
{% endtabs %}

#### Map trusts of a forest

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetForestTrust 
Get-NetForestTrust -Forest eurocorp.local
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```

{% endtab %}
{% endtabs %}

## Scripts

#### Find all machines in the current domain where the current user has local admin access

This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine. It generates logon events on every machine, so it is loud.

{% tabs %}
{% tab title="PowerView" %}

```
Find-LocalAdminAccess -Verbose

# Alternative: Find-WMILocalAdminAccess.ps1
```

{% endtab %}
{% endtabs %}

#### Find local admins on all machines of the domain (needs administrator privs on non-DC machines)

This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-EnumerateLocalAdmin -Verbose
```

{% endtab %}
{% endtabs %}

#### Find computers where a domain admin (or a specified user/group) has sessions

This function queries the DC of the current or provided domain for the members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer), and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each machine.

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter 
Invoke-UserHunter -GroupName "RDPUsers"
```

{% endtab %}
{% endtabs %}

#### Confirm admin access

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter -CheckAccess
```

{% endtab %}
{% endtabs %}

#### Find computers where a domain admin is logged in (stealth mode)

This option queries the DC of the current or provided domain for the members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of *only* high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each of them.

{% tabs %}
{% tab title="PowerView" %}

```
Invoke-UserHunter -Stealth
```

{% endtab %}
{% endtabs %}
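The Find-LocalAdminAccess, Invoke-EnumerateLocalAdmin and Invoke-UserHunter sweeps above all touch every host in the domain, which the notes describe as loud. As an added example that is not part of the original cheat sheet, the function below shows the defender's side of that statement: given 4624 events collected from many hosts, it flags an account and source address that produced network logons (logon type 3) on many distinct hosts inside a short window. The sample events are constructed; the `Get-NetworkLogonEvents` helper shows how real records from one host's Security log are mapped into the same shape (in practice you would run it against forwarded logs or a SIEM export). Function names, the window and the threshold are assumptions.

```powershell
# Added example (not from the original page): detect logon fan-out from one
# account across many hosts. Sample events are constructed; names are assumptions.
function Find-LogonFanOut {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # TimeCreated, Computer, TargetUserName, LogonType, IpAddress
        [int]$WindowMinutes = 10,
        [int]$HostThreshold = 5
    )

    $Events |
        Where-Object { $_.LogonType -eq 3 -and $_.TargetUserName -notlike '*$' } |   # skip machine accounts
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            # slide a window over the sorted events; keep the largest distinct-host count seen
            $best = 0
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $end   = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
                $hosts = @($sorted[$i..($sorted.Count - 1)] |
                           Where-Object { $_.TimeCreated -le $end } |
                           Select-Object -ExpandProperty Computer -Unique)
                if ($hosts.Count -gt $best) { $best = $hosts.Count }
            }
            if ($best -ge $HostThreshold) {
                [pscustomobject]@{
                    Account   = $sorted[0].TargetUserName
                    SourceIp  = $sorted[0].IpAddress
                    Hosts     = $best
                    FirstSeen = $sorted[0].TimeCreated
                    LastSeen  = $sorted[-1].TimeCreated
                }
            }
        }
}

# Maps real 4624 records from one host into the shape Find-LogonFanOut expects.
function Get-NetworkLogonEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-1))

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Computer       = $x.Event.System.Computer
                TargetUserName = $d.TargetUserName
                LogonType      = [int]$d.LogonType
                IpAddress      = $d.IpAddress
            }
        }
}

# Constructed sample: 'student1' reaches six hosts in two minutes from one source,
# while 'svc_backup' logs on to two hosts 35 minutes apart (benign).
$t0 = Get-Date '2024-01-01 09:00:00'
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); Computer = "srv$($_).dollarcorp.moneycorp.local"
                           TargetUserName = 'student1'; LogonType = 3; IpAddress = '172.16.100.1' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);  Computer = 'srv1.dollarcorp.moneycorp.local'
                       TargetUserName = 'svc_backup'; LogonType = 3; IpAddress = '172.16.5.10' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(40); Computer = 'srv2.dollarcorp.moneycorp.local'
                       TargetUserName = 'svc_backup'; LogonType = 3; IpAddress = '172.16.5.10' }
)

# Expected: one row for student1 / 172.16.100.1 with Hosts = 6; svc_backup is below threshold.
Find-LogonFanOut -Events $sample -WindowMinutes 10 -HostThreshold 5 | Format-Table -AutoSize
```

Grouping by account and source address together keeps a service account that legitimately authenticates from several servers from being merged into one noisy bucket; the threshold and window should be set from a baseline of normal administrative activity rather than guessed.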

## PrivEsc

#### Unconstrained Delegation

{% tabs %}
{% tab title="PowerView" %}

```
Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCount
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADComputer -Filter {TrustedForDelegation -eq $True} 
Get-ADUser -Filter {TrustedForDelegation -eq $True}
```

{% endtab %}
{% endtabs %}

#### Constrained Delegation

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
```

{% endtab %}
{% endtabs %}

#### ASREP Roasting

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainUser -PreauthNotRequired -Verbose
```

{% endtab %}

{% tab title="ADModule" %}

```
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
```

{% endtab %}
{% endtabs %}

#### Clear Passwords

{% tabs %}
{% tab title="PowerView" %}

```
$FormatEnumerationLimit = -1
Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword |
    % { Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru } |
    fl
```

{% endtab %}
{% endtabs %}
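As an added example that is not part of the original cheat sheet, the function below runs the four checks of this section (unconstrained delegation, constrained delegation, pre-authentication disabled, populated `userPassword`) in one ActiveDirectory-module pass and adds a fifth that closes the delegation findings from the other side: privileged accounts that are not marked "account is sensitive and cannot be delegated". Each finding carries the cmdlet that remediates it; the function itself only reads. The function name and the `$ProtectedGroups` default are assumptions.

```powershell
# Added example (not from the original page): read-only audit of delegation,
# pre-auth and cleartext-password settings. Function name is an assumption.
Import-Module ActiveDirectory

function Get-DelegationAndPreauthAudit {
    param([string[]]$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    # Unconstrained delegation: TRUSTED_FOR_DELEGATION (0x80000 = 524288) on users or computers.
    # Domain controllers (primaryGroupID 516, RODCs 521) legitimately carry it and are skipped.
    Get-ADObject -LDAPFilter '(&(|(objectClass=computer)(objectClass=user))(userAccountControl:1.2.840.113556.1.4.803:=524288))' `
                 -Properties samAccountName, primaryGroupID |
        Where-Object { $_.primaryGroupID -notin 516, 521 } |
        ForEach-Object {
            [pscustomobject]@{ Object = $_.samAccountName; Class = $_.ObjectClass; Issue = 'unconstrained delegation'
                               Remediation = 'Set-ADComputer/Set-ADUser -TrustedForDelegation $false; use resource-based constrained delegation instead' }
        }

    # Constrained delegation: show the target SPNs so the scope can be reviewed,
    # and whether protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000) is on.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties samAccountName, msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            $transition = ($_.userAccountControl -band 0x1000000) -ne 0
            $issue = "constrained delegation to: $($_.'msDS-AllowedToDelegateTo' -join ', ')"
            if ($transition) { $issue += ' (protocol transition enabled)' }
            [pscustomobject]@{ Object = $_.samAccountName; Class = $_.ObjectClass; Issue = $issue
                               Remediation = 'Review targets; disable protocol transition unless required (Set-ADAccountControl -TrustedToAuthForDelegation $false)' }
        }

    # AS-REP roasting exposure: Kerberos pre-authentication not required.
    Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
        ForEach-Object {
            [pscustomobject]@{ Object = $_.SamAccountName; Class = $_.ObjectClass; Issue = 'Kerberos pre-authentication disabled'
                               Remediation = 'Set-ADAccountControl -DoesNotRequirePreAuth $false' }
        }

    # Cleartext userPassword attribute populated (readable by authenticated users by default).
    Get-ADUser -LDAPFilter '(userPassword=*)' -Properties userPassword |
        ForEach-Object {
            [pscustomobject]@{ Object = $_.SamAccountName; Class = $_.ObjectClass; Issue = 'userPassword attribute populated'
                               Remediation = 'Set-ADUser -Clear userPassword, then rotate the password' }
        }

    # Privileged accounts that can still be delegated: mark them sensitive.
    foreach ($g in $ProtectedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties AccountNotDelegated |
            Where-Object { -not $_.AccountNotDelegated } |
            ForEach-Object {
                [pscustomobject]@{ Object = $_.SamAccountName; Class = 'user'
                                   Issue = "member of '$g' without 'account is sensitive and cannot be delegated'"
                                   Remediation = 'Set-ADUser -AccountNotDelegated $true (or add to Protected Users)' }
            }
    }
}

Get-DelegationAndPreauthAudit | Sort-Object Issue, Object | Format-Table -AutoSize -Wrap
```

The bitwise LDAP matching rule in the first query (`1.2.840.113556.1.4.803`) is what PowerView's `-UnConstrained` switch expands to; the `TrustedForDelegation` filter shown in the ADModule tab above is the module's friendlier alias for the same userAccountControl bit.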
